> On Jan 12, 2017, at 17:33, Randy Bush <ra...@psg.com> wrote:
>
> mornin' oliver,
>
>> This most likely would set a bad example for others that might start
>> issuing certificates with “infinite” life spans.
>
> 'zactly
>
>> In this regard, what about a Validity of 365 days within the
>> example? This seems feasible to me.
>
>>> of course that leaves open what lifetime to recommend. we're not
>>> gonna do ocsp, but rather withdraw from the rpki. so to keep from
>>> making too much bgp noise, let me toss out O(year) to start the
>>> discussion.
>
> i can live with a year. i will be interested if others comment.
>
> i have a vague memory of talking about this before. one needs to deploy
> the replacement key in advance, as it can take some time to propagate to
> the far corners of the internet. and one probably does not want to
> reannounce all one's routes at once.
>
> a small i-d may be in order.
The CPS really dictates the validity period. Can you check what your RIPE-issued RPKI certificates have as a validity date?

You're right that you need to get the replacement cert early to make sure you don't end up being without a certificate. RFC 6484 recommends 1 week prior to the expiration of the old cert. I think the CPS also allows some additional time to account for this problem.

spt

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr